I want to share my experience with the SANS 504 course and exam. This spring I applied for a few work/study opportunities with SANS. Among them was a local one, Community SANS Ottawa – SEC504 Certified Incident Handler. When I got the approval from SANS I wasn’t a permanent employee anymore; I was a contractor. I hesitated for a couple of hours about whether I should go or not, and the drawback was the loss of $$$ caused by my absence from work. Finally, I decided that the experience of a live SANS course was worth more than the lost bucks.

The course ran from 11 to 16 June, in Gatineau, a suburb of Ottawa (a different province, but still Ottawa’s suburb). The instructor was Adrien de Beaupre. Adrien is an old fox, if I may say so. He has been in the security industry for a long time, he is an incident handler with SANS, and he has seen a lot during his career. He has tons of experience in incident handling and penetration testing. I can say that the fact that he was the teacher contributed 10% to my decision to go to the course, and I was right about it.

So, on a hot Sunday afternoon we prepared the classroom and all the material for the course. Monday morning I put on my red apron, and I distributed the books to the students. I can say that the whole administrative process went without problems.

Being a local event, the class was very small, circa 22 students. Most of them were from different governmental agencies – army, blue eyes, the government itself… (the last time I saw so many skinheads in one room was when I was in the navy). The advantage of this crowd was that they were disciplined: no smart-asses, no trouble during the course. Their problem is that their patrons don’t pay for the exam, so they’ll only do the course. In my opinion, this is very bad, because there is a lot more to learn after the six days of the live course. Not doing the cert will not motivate/force them to continue studying.

Here are some notes I made during the class:

Day 1

Very interesting topics, and most of the students participate in the discussions. Now I have convinced myself that Adrien really knows how to teach and how to make things interesting.

Day 2

I am very familiar with scanning tools like Nmap and Nessus, so this day wasn’t so impressive for me. On the other hand, I had colleagues who were really, really excited, and one even told me “This course perfectly fits my needs. Now I can defend against my CIO different portscans, because I run Nmap and I know how it works.” This really impressed me.

Day 3

Things are becoming interesting. Now I can see the difference between GPEN and GCIH. GCIH talks a lot about how to prepare against incidents and how to detect some of them. All the students are excited about the course. Most of them are overwhelmed by the material, but are happy about it.

Day 4

Things are really interesting. I like that they don’t insist so much on the offensive part, but there is a lot of defensive material.

Day 5

For me this is the most complicated/interesting day. Rootkits… (I will study this subject deeper after this class.) Nice and interesting exercises. Most of the other students are lost. They are browsing the internet, have tunnel vision…

Day 6

Capture the Flag

I made a team with three other guys. Our backgrounds were very different, from novices in the offensive stuff (but very motivated) to more experienced ones. The challenge was interesting, and we had to apply what we had learned during the class. Of course, my team won.

After this wonderful experience I continued studying on my own. Because of home renovations I didn’t have too much time to study at home. I listened to the mp3s, and I watched some videos for the more complicated subjects. Luckily, I wasn’t that busy at work, and I did find some time to study and to go through the OnDemand questions.

As I previously said about these questions, after my GWAPT experience, they really help someone to study harder. If you are able to pass all the OnDemand questions without the aid of the books, you are ready for the exam. Many of the OnDemand questions are very tool oriented, but this is not a bad thing; it will make you study more.

I learned a lot, even for the subjects where I was more knowledgeable (like Nmap or Nessus). Every time you listen to the mp3s you discover something new. Ed Skoudis is also an excellent teacher, with a lot of experience, and with wonderful teaching skills. He knows how to hook a class.

This course was a beautiful experience, and, more importantly, it motivated me to become an even better defender. It is my opinion that it is incomparably easier to be a pentester than to be a defender. Worse, it is very hard to take real proactive measures in an enterprise. The exception will be some shiny useless boxes that a vendor sold your boss as “the next thing”. In the next year I’ll concentrate more on defensive studies, before going back to pentesting.

After I passed all the OnDemand questions without the use of the books, and after I put post-its on my books, I was ready to sit for the exam. I did the two practice exams the day before the exam, without the aid of the books, and I did pretty well on them.

I scheduled the exam for a Saturday. Sitting for the exam on a Saturday afternoon was an excellent choice for me because I was able to get a good sleep, and there was no rush. The test center was all right, and there weren’t too many takers.

I can say that I really liked the exam. The questions were common sense; I didn’t see many tool-related questions, like the ones on the OnDemand. The questions on the exam tested the knowledge relative to the subject itself. There were many questions where you could use the books to get the answer, if you really wanted to be sure that you don’t make stupid mistakes. But you don’t need the books to pass the exam. Probably you need them to get a very high grade. My favourite questions were the ones where they gave you a real situation and asked about your reaction to this problem. You’ll see some of these on the practice exams. As an example, you’ll have a dump of traffic and you’ll have to recognize the type of event and propose the countermeasure. Those were really interesting, and very pertinent to the subject tested itself.

So, after 3 hours of intense concentration I finished the exam with a score of 96%, which made me really happy.

All this experience left me with a warm feeling, and I can barely wait to sit for my next exam.